[ https://issues.apache.org/jira/browse/QPID-8279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy resolved QPID-8279.
------------------------------
    Resolution: Fixed

> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
>                 Key: QPID-8279
>                 URL: https://issues.apache.org/jira/browse/QPID-8279
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-7.0.3, qpid-java-broker-7.0.2, qpid-java-broker-7.0.0, qpid-java-broker-7.0.1, qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, qpid-java-broker-7.0.6
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-7.0.7, qpid-java-broker-8.0.0, qpid-java-broker-7.1.1
>
>
> The CVE vulnerabilities [CVE-2018-14718|https://nvd.nist.gov/vuln/detail/CVE-2018-14718], [CVE-2018-14719|https://nvd.nist.gov/vuln/detail/CVE-2018-14719], [CVE-2018-14720|https://nvd.nist.gov/vuln/detail/CVE-2018-14720], [CVE-2018-14721|https://nvd.nist.gov/vuln/detail/CVE-2018-14721] have been reported against jackson-databind library 2.x versions below 2.9.7.
>
> Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.
>
> Though Apache Qpid Broker-J is not affected by the vulnerabilities, this JIRA will upgrade the dependencies of Broker-J to versions of the jackson-databind dependencies that are not vulnerable:
> * master (upgrade from 2.9.5 to 2.9.8)
> * 7.1.x (upgrade from 2.9.5 to 2.9.8)
> * 7.0.x (upgrade from 2.8.11.1 to 2.8.11.3)
>
> Please note that no upgrade of jackson-databind dependencies will be done for 6.0.x and 6.1.x versions. The 6.0.x and 6.1.x brokers can be upgraded to 7.1.x.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
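The "not affected" reasoning in the issue rests on a single setting. As an added example (not Qpid Broker-J code), the Java below shows how the same type-hinted JSON document is handled with and without ObjectMapper#enableDefaultTyping, and adds a check a project can run in a unit test to confirm the mapper it ships has no default typer; it assumes jackson-databind 2.9.x on the classpath, and the Greeting class and the sample JSON are constructed for the demonstration.

```java
// Added example, not part of Qpid Broker-J. Assumes jackson-databind 2.9.x.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

public class DefaultTypingCheck {

    // Harmless constructed bean standing in for any class on the classpath.
    public static class Greeting {
        public String text;
    }

    // Constructed input: the two-element array form Jackson uses to carry a
    // class-name type hint when default typing is enabled (WRAPPER_ARRAY).
    static final String TYPE_HINT_JSON =
        "[\"DefaultTypingCheck$Greeting\", {\"text\": \"hi\"}]";

    // Weak setting: with default typing on (OBJECT_AND_NON_CONCRETE covers an
    // Object.class target) the JSON document picks the Java class to instantiate,
    // which is exactly the behaviour the jackson-databind CVEs build on.
    static Object readWithDefaultTyping() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(TYPE_HINT_JSON, Object.class);
    }

    // Safe setting, the one the issue says Broker-J relies on: no default typing,
    // so the same bytes come back as a plain List holding a String and a Map and
    // the class name inside the input is never looked up.
    static Object readWithoutDefaultTyping() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(TYPE_HINT_JSON, Object.class);
    }

    // Audit check for a project's own mapper: a non-null default typer means some
    // code path called enableDefaultTyping or setDefaultTyping on it.
    static boolean hasDefaultTyping(ObjectMapper mapper) {
        TypeResolverBuilder<?> typer = mapper.getDeserializationConfig()
            .getDefaultTyper(mapper.constructType(Object.class));
        return typer != null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default typing on : " + readWithDefaultTyping().getClass());
        System.out.println("default typing off: " + readWithoutDefaultTyping().getClass());
        System.out.println("fresh mapper has default typing: " + hasDefaultTyping(new ObjectMapper()));
    }
}
```

The hasDefaultTyping check does not cover the annotation route the issue also mentions (@JsonTypeInfo on application classes), which has to be confirmed by reviewing the model classes themselves.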